How Attackers Use Extension Spoofing and How I Built a Tool to Stop Them

AnasRm01 — Mon, 09 Feb 2026 01:02:44 +0000

I got tired of seeing ransomware slip through because attackers just rename malware.exe to invoice.pdf. So I built a tool that validates file extensions against magic numbers in real-time.

What it does:

Monitors file creation/modification using inotify (Linux) or watchdog (Windows)
Checks if invoice.pdf is actually a PDF (magic number validation)
Quarantines mismatched files automatically
Outputs SIEM-ready JSON logs (Splunk/ELK/Wazuh compatible)
SHA256 hashing + user attribution

Why I built this:
During a recent IR engagement, we found ransomware that got past AV by being renamed to .docx. A simple magic number check would've caught it immediately.

Install (one command):

# Linux
curl -sSL https://raw.githubusercontent.com/AnasRm01/file-validator/main/install.sh | sudo bash

# Windows  
# Download and run install-windows.bat

Use cases I'm seeing:

Web server upload directories (/var/www/uploads)
Shared network drives
Employee Downloads folders
Compliance logging (PCI-DSS requires FIM)

Performance:

<10MB RAM, <1% CPU
Event-driven (not scanning loops)
Tested on CentOS, Ubuntu, Windows 10/11

GitHub: https://github.com/AnasRm01/file-validator

Open to feedback! What other file types should I add?

DEV Community: AnasRm01

How Attackers Use Extension Spoofing and How I Built a Tool to Stop Them